
lousken, today at 6:02 PM (5 replies)

How is Defender not flagging this? Changing the hosts file should raise alarms.



Asmod4n, today at 6:39 PM

Defender warns you this happened.

xattt, today at 6:39 PM

Can this not be blocked with file permissions? Or a symlink to a file in a ro folder?

raverbashing, today at 6:32 PM

I wonder how this works on Windows, if any service overrides/resets it

gjsman-1000, today at 6:06 PM

The hosts file is not sacred on Windows. Anyone who is an administrator can just edit it. I've done it to add domain names to localhost.

For anyone hand-wringing over this, this used to be normal. The hosts file was invented a decade before DNS. The end user, or app, would edit their hosts file purposefully after downloading a master copy from the Stanford Research Institute which was occasionally updated.

hypeatei, today at 6:57 PM

Most users won't care, especially if the Adobe installer warns them that a security warning might pop up after installation. Besides, in practice, any malware editing the hosts file isn't going to get much because of HTTPS; one cannot simply redirect "google.com" traffic to their own IP without issue.
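
Added example, not part of any comment in the thread: a small hosts-file audit that compares the current file against a saved baseline and reports every new name-to-address mapping, separating names pointed at the local machine from names pointed at a remote address. The function names, labels and sample file contents are constructed for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Return the set of (hostname, ip) mappings found in hosts-file text."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comment, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or address-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address: not a mapping
        for name in fields[1:]:                 # one line may map several names
            pairs.add((name.lower().rstrip("."), str(ip)))
    return pairs

def audit(baseline_text, current_text):
    """List mappings present now but absent from the baseline, as (name, ip, kind)."""
    added = parse_hosts(current_text) - parse_hosts(baseline_text)
    findings = []
    for name, ip in sorted(added):
        addr = ipaddress.ip_address(ip)
        # "local": name resolves to this machine (dev alias or blocked host)
        # "remote": name resolves to an address chosen by whoever edited the file
        kind = "local" if addr.is_loopback or addr.is_unspecified else "remote"
        findings.append((name, ip, kind))
    return findings

# Constructed sample contents; on Windows the real file lives at
# %SystemRoot%\System32\drivers\etc\hosts
BASELINE = "# constructed baseline\n127.0.0.1 localhost\n::1 localhost\n"
CURRENT = BASELINE + (
    "127.0.0.1 dev.example.test   # local alias\n"
    "0.0.0.0 updates.example.test telemetry.example.test\n"
    "203.0.113.10 Login.Example.test.\n"
)

if __name__ == "__main__":
    for name, ip, kind in audit(BASELINE, CURRENT):
        print(f"{kind:6} {name} -> {ip}")
```
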